I am trying to implement SSO with Spring Security SAML, but an error occurs when decrypting the key from the SOAP assertion response.
SOAP response:
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/>
<soap:Body>
<saml2p:ArtifactResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="ID-067d75bd-3193-4bd8-9852-44da67b015ce" InResponseTo="a590ga841bj851ii498bech5c29h377" IssueInstant="2021-09-29T07:23:59.439Z" Version="2.0" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:coi-naturalperson="http://coi.gov.pl/attributes/naturalperson" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig11="http://www.w3.org/2009/xmldsig11#" xmlns:eidas="http://eidas.europa.eu/saml-extensions" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:naturalperson="http://eidas.europa.eu/attributes/naturalperson" xmlns:ns13="http://coi.gov.pl/saml-extensions" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xenc11="http://www.w3.org/2009/xmlenc11#">
<saml2:Issuer>symulator.login.gov.pl</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ds:Reference URI="#ID-067d75bd-3193-4bd8-9852-44da67b015ce">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml2 saml2p xenc"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2p:Response ID="ID-e15baf95-bfe2-4658-9ffe-097d84b636f3" InResponseTo="a4hj979di081ig2052572agg3f37h29" IssueInstant="2021-09-29T07:23:59.431Z" Version="2.0">
<saml2:Issuer>symulator.login.gov.pl</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ds:Reference URI="#ID-e15baf95-bfe2-4658-9ffe-097d84b636f3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml2 saml2p xenc"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:EncryptedAssertion>
<xenc:EncryptedData Id="_5ef019d753fd9b4faf52138cc8f4d9f0" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
</xenc:EncryptionMethod>
<ds:KeyInfo>
<xenc:EncryptedKey Id="_6147c823d9f485f3716099ee5efecdac">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256"/>
<ds:KeyInfo>
<xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES">
<xenc11:KeyDerivationMethod Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF">
<xenc11:ConcatKDFParams AlgorithmID="0000002A687474703A2F2F7777772E77332E6F72672F323030312F30342F786D6C656E63236B772D616573323536" PartyUInfo="0000001673796D756C61746F722E6C6F67696E2E676F762E706C" PartyVInfo="00000018776E696F73656B2E7572706C2D746573742E6E70632E706C">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
</xenc11:ConcatKDFParams>
</xenc11:KeyDerivationMethod>
<xenc:OriginatorKeyInfo>
<ds:KeyValue>
<dsig11:ECKeyValue>
<dsig11:NamedCurve URI="urn:oid:1.2.840.10045.3.1.7"/>
<dsig11:PublicKey>...</dsig11:PublicKey>
</dsig11:ECKeyValue>
</ds:KeyValue>
</xenc:OriginatorKeyInfo>
</xenc:AgreementMethod>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml2:EncryptedAssertion>
</saml2p:Response>
</saml2p:ArtifactResponse>
</soap:Body>
</soap:Envelope>
Log:
2021-09-29 09:24:13.356 DEBUG 3052 --- [ XNIO-2 task-29] o.a.xml.security.algorithms.JCEMapper : Request for URI http://www.w3.org/2009/xmlenc11#aes256-gcm
2021-09-29 09:24:13.356 DEBUG 3052 --- [ XNIO-2 task-29] o.a.xml.security.encryption.XMLCipher : JCE Key Algorithm: AES
2021-09-29 09:24:15.024 DEBUG 3052 --- [ XNIO-2 task-29] o.a.xml.security.algorithms.JCEMapper : Request for URI http://www.w3.org/2001/04/xmlenc#kw-aes256
2021-09-29 09:24:15.024 DEBUG 3052 --- [ XNIO-2 task-29] o.a.xml.security.encryption.XMLCipher : JCE Algorithm = AESWrap
2021-09-29 09:24:16.327 ERROR 3052 --- [ XNIO-2 task-29] org.opensaml.xml.encryption.Decrypter : Error decrypting encrypted key
org.apache.xml.security.encryption.XMLEncryptionException: No installed provider supports this key: sun.security.ec.ECPrivateKeyImpl
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1495)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:708)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:639)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:794)
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)
at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:235)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)
...
Environment:
Java 1.8 (291); also tried on Java 11 and 17 with the same result
Spring Boot 1.4.1
spring-security-saml2-core 1.0.10.RELEASE
opensaml-core 4.1.0
Providers:
- sun.security.provider.Sun
- sun.security.rsa.SunRsaSign
- sun.security.ec.SunEC
- com.sun.net.ssl.internal.ssl.Provider
- com.sun.crypto.provider.SunJCE
- sun.security.jgss.SunProvider
- com.sun.security.sasl.Provider
- org.jcp.xml.dsig.internal.dom.XMLDSigRI
- sun.security.smartcardio.SunPCSC
- org.bouncycastle.jce.provider.BouncyCastleProvider
- sun.security.mscapi.SunMSCAPI
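An added example, not from the question and not Spring Security SAML or OpenSAML code, showing what the EncryptedKey in the posted response asks the recipient to do: XML Encryption 1.1 ECDH-ES key agreement, a Concat KDF (SHA-256, per the DigestMethod inside ConcatKDFParams) to derive a 256-bit key-encryption key, and kw-aes256 to unwrap the content-encryption key. It is written in Python with the `cryptography` package; the three ConcatKDFParams attribute values are copied from the response, while the P-256 key pairs and the content-encryption key are constructed. Assumed, not confirmed by the page: the attribute bytes (4-byte length prefix included) are concatenated verbatim as AlgorithmID || PartyUInfo || PartyVInfo to form the KDF's OtherInfo. The last step illustrates the point behind the log's error: the recipient's EC private key is an input to the agreement only and can never itself serve as the key that AESWrap expects.

```python
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.kdf.concatkdf import ConcatKDFHash
from cryptography.hazmat.primitives.keywrap import InvalidUnwrap, aes_key_unwrap, aes_key_wrap

# The three ConcatKDFParams attributes exactly as they appear in the posted ArtifactResponse.
ALGORITHM_ID_HEX = "0000002A687474703A2F2F7777772E77332E6F72672F323030312F30342F786D6C656E63236B772D616573323536"
PARTY_U_INFO_HEX = "0000001673796D756C61746F722E6C6F67696E2E676F762E706C"
PARTY_V_INFO_HEX = "00000018776E696F73656B2E7572706C2D746573742E6E70632E706C"


def decode_kdf_field(hex_value: str) -> bytes:
    """Decode one ConcatKDFParams attribute and return its payload.

    The values on the page are a 4-byte big-endian length followed by that many
    bytes of data (Datalen || Data); the prefix is checked against the payload.
    """
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("field too short for a length prefix")
    declared = int.from_bytes(raw[:4], "big")
    payload = raw[4:]
    if declared != len(payload):
        raise ValueError(f"length prefix {declared} does not match payload length {len(payload)}")
    return payload


def build_other_info(algorithm_id_hex: str, party_u_hex: str, party_v_hex: str) -> bytes:
    """OtherInfo for the Concat KDF.

    Assumption (not confirmed by the page): the attribute bytes are used verbatim,
    length prefix included, concatenated as AlgorithmID || PartyUInfo || PartyVInfo.
    """
    for field in (algorithm_id_hex, party_u_hex, party_v_hex):
        decode_kdf_field(field)  # reject malformed fields before deriving anything
    return bytes.fromhex(algorithm_id_hex) + bytes.fromhex(party_u_hex) + bytes.fromhex(party_v_hex)


def agree_shared_secret(own_private: ec.EllipticCurvePrivateKey,
                        peer_public: ec.EllipticCurvePublicKey) -> bytes:
    """ECDH-ES: the raw shared secret Z between one party's private key and the other's public key."""
    return own_private.exchange(ec.ECDH(), peer_public)


def derive_kek(shared_secret: bytes, other_info: bytes, length: int = 32) -> bytes:
    """Concat KDF with SHA-256 (the DigestMethod inside ConcatKDFParams); 32 bytes for kw-aes256."""
    return ConcatKDFHash(hashes.SHA256(), length, other_info).derive(shared_secret)


def demo_round_trip() -> dict:
    """Run the full agreement -> KDF -> AES-KW round trip with constructed keys."""
    # Constructed key pairs on P-256 (the page's NamedCurve urn:oid:1.2.840.10045.3.1.7):
    # the SP's long-lived decryption key and the IdP's ephemeral originator key.
    recipient_priv = ec.generate_private_key(ec.SECP256R1())
    originator_priv = ec.generate_private_key(ec.SECP256R1())
    other_info = build_other_info(ALGORITHM_ID_HEX, PARTY_U_INFO_HEX, PARTY_V_INFO_HEX)

    # Originator side: a constructed 256-bit content-encryption key for aes256-gcm,
    # wrapped under the KEK derived from the agreement with the recipient's public key.
    cek = os.urandom(32)
    kek_originator = derive_kek(agree_shared_secret(originator_priv, recipient_priv.public_key()), other_info)
    wrapped_cek = aes_key_wrap(kek_originator, cek)  # what EncryptedKey/CipherValue carries

    # Recipient side: only the originator's public key (OriginatorKeyInfo) travels in the message.
    kek_recipient = derive_kek(agree_shared_secret(recipient_priv, originator_priv.public_key()), other_info)
    recovered_cek = aes_key_unwrap(kek_recipient, wrapped_cek)

    # Why the EC private key cannot stand in for the KEK: its raw scalar happens to be
    # 32 bytes, so AES-KW accepts the length, but it is not the derived key and the
    # unwrap integrity check fails. A decrypter must derive the KEK first.
    raw_scalar = recipient_priv.private_numbers().private_value.to_bytes(32, "big")
    try:
        aes_key_unwrap(raw_scalar, wrapped_cek)
        raw_ec_key_unwraps = True
    except InvalidUnwrap:
        raw_ec_key_unwraps = False

    return {
        "kek_length": len(kek_recipient),
        "kek_match": kek_originator == kek_recipient,
        "cek_recovered": recovered_cek == cek,
        "raw_ec_key_unwraps": raw_ec_key_unwraps,
    }


if __name__ == "__main__":
    print(demo_round_trip())
```

Decoding the three fields shows the IdP bound the wrap algorithm URI and both party names into the derivation, so a recipient that builds OtherInfo from different values (or skips the KDF and hands the EC key straight to the key-wrap cipher) cannot recover the content-encryption key.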